Faulty Encryption Could Leave Some Android Apps Vulnerable

According to the findings of an academic research group, the encryption and SSL protection of 41 Android applications are deficient or inadequate. These apps, which have been downloaded up to 185 million times, can be intercepted during communication between the device and the web server.

Due to this weak point, attackers were able to access online banking data, data for social networks, e-mail accounts and messaging services, as well as tamper with the intercepted content. In one of the affected apps, a virus protection application, the deficient SSL implementation under Android 4.0 (Ice Cream Sandwich) made data theft possible.

Interestingly, the researchers did not specify which applications were insecure. But they consistently pointed out that, according to Google statistics, the affected programs had already been downloaded between 39.5 and 185 million times.

To demonstrate the described weak points, the researchers connected the test devices to a Local Area Network (LAN) and attacked the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption protocols with "well-known" man-in-the-middle methods.
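The article does not name the apps or the exact coding mistake, so the following is an added illustration, not code from the research or from any of the affected apps. It assumes the most common form of a "deficient SSL implementation" on Android: a custom `X509TrustManager` and `HostnameVerifier` that accept anything, which turns an HTTPS connection into one that any interposed server can read. The hardened variant simply keeps the platform defaults, under which `HttpsURLConnection` validates the certificate chain against the system trust store and checks the host name. The `example.invalid` URL is a placeholder.

```java
import java.io.IOException;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (assumed pattern, not from the original article): a trust-all TLS
 * configuration beside the hardened default, so a reviewer can recognise the weak form.
 */
public class TlsValidationExample {

    // WEAK: a TrustManager whose check methods never throw. Every certificate chain
    // presented on the wire passes, so the connection no longer authenticates the server.
    static final TrustManager[] TRUST_EVERYTHING = new TrustManager[] {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // WEAK: a HostnameVerifier that always returns true. Even a properly issued certificate
    // for a completely different host name is accepted.
    static final HostnameVerifier ALLOW_ALL_HOSTS = new HostnameVerifier() {
        @Override public boolean verify(String hostname, SSLSession session) { return true; }
    };

    /** The weak configuration as it typically appears in an app that "fixed" a certificate error. */
    static HttpsURLConnection openWeak(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ALL_HOSTS);
        return conn;
    }

    /**
     * HARDENED: no custom trust manager and no custom hostname verifier. The platform
     * default validates the chain against the system trust store and verifies the host name,
     * and a certificate it cannot validate causes the handshake to fail with an exception.
     */
    static HttpsURLConnection openHardened(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    /** Audit helper: reports whether a connection object has the weak verifier installed. */
    static boolean usesPermissiveHostnameVerifier(HttpsURLConnection conn) {
        return conn.getHostnameVerifier() == ALLOW_ALL_HOSTS;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host; replace with the endpoint under test.
        URL url = new URL(args.length > 0 ? args[0] : "https://example.invalid/api");
        HttpsURLConnection conn = openHardened(url);
        try {
            conn.connect();
            System.out.println("TLS handshake succeeded; peer validated: "
                    + conn.getServerCertificates()[0]);
        } catch (SSLHandshakeException e) {
            // This is the desired behaviour when an interposed or misissued certificate is presented.
            System.out.println("Connection refused by certificate validation: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

When reviewing an app, the signal to look for is any `SSLContext.init` call fed a hand-written `X509TrustManager` with empty `check*Trusted` bodies, or any `setHostnameVerifier` whose `verify` returns a constant. Removing those overrides restores the validation the platform already performs.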

"We could intercept bank account and credit card data," wrote the scientists from Leibniz University of Hannover and Philipps University of Marburg. "We captured login credentials and contents, got access to cameras, and could interfere with the control channel between apps and remote servers."

Although there is little evidence that the vulnerable applications were programmed by Google itself, the research group emphasizes that the developers in Mountain View could make the apps offered on Google Play much safer in just a few steps.

We know that Google does a lot for security. For instance, the internet giant has equipped a large part of its web environment with SSL certificates. As Google itself writes: "Two of the most frequently asked questions about Google in general and Google Apps in particular concern security and privacy. We take both topics very seriously and are sure that our products are an excellent choice for customers in both areas. Our enterprise is based on the trust of our users: trust in our ability to secure data properly, as well as our commitment to the protection of the personal data stored in our systems. It means that we do not give it to third parties or use it inappropriately."